A practicing CISO's perspective on managing information security in large enterprises.

Monday, April 13, 2009

Google Reaches Around the Firewall

Hiding behind the firewall just got a bit tougher as Google announced its new Secure Data Connector, which allows Google Apps even more access to your corporate goodies.

A lot of security folks have a what-the-$*%#@ knee-jerk reaction when they hear about stuff like this. But the truth is that when you are using Google Apps you're already in pretty deep with Google. Skirting the firewall isn't going to really change things one way or the other.

Secure Data Connector is another step in what is probably an inevitable move to cloud computing. I hate to use such a nebulous - pun intended - term, so let me put it another way - the old days of companies owning their own firewalled data centers and only working off their own equipment are clearly numbered. Using services like Google Apps has always been first a business decision, then a contractual one, and only lastly a security one.

Cloud computing is really nothing more than outsourcing non-essential IT functions. The reason outsourcing happens is because it is cheaper and more efficient for others to provide a service than to do it in house. Why would running a data center or an operating system be any different?

The main difference, of course, is legal. There are decades of law and precedents that govern what happens when a company has a fire in the building they lease. There is very little law or precedent to govern what happens when a company's Google Apps application is hacked. And because you have very little ability to audit (much less enforce) security measures on a third party vendor, the legalese becomes all the more important.

Moving to the cloud (a.k.a. owning and managing less of your non-workstation infrastructure) also requires a serious change in a company's entire security narrative. Most organizations still have a network-centric way of thinking about security. This is reflected not only in their security spending priorities but also in their strategic approach to security - for example, many companies have relatively open internal systems that rely on the inability of an intruder to get onto certain parts of the network. The prevalence of network-centric vs. host-centric or data-centric security is clearly visible in the prioritization of security requirements that PCI recently published.

Part of this network-centric approach is justified because it reflects the real-world legal importance of owning and defending your data. There is also a self-enforcing cycle at play here - as long as network-centric security remains the norm, it is by definition the best practice/commonly used mechanism that is referenced in so many contracts and regulations. You may have some explaining to do to the CEO if your novel Web 2.0/cloud computing/(insert more buzzwords here) security model was hacked. If a defense-in-depth network with an expensive IDS and lots of pricey Cisco gear gets hacked, well, stuff happens. To paraphrase an overused expression, no one ever got fired for installing too many network security products.